I had recently upgraded from OS X 10.10 (Yosemite) to OS X 10.11 (El Capitan) from a bootable drive that the Genius Bar of one of my city's Apple stores has, and I installed the 10.11.1 update from my home wifi network. The Macbook I currently use is about a month old. I practise safe browsing practices and I have Little Snitch installed.

I've been (maybe overly) paranoid recently because on my old machine, I was definitely compromised due to cracked software (lesson learnt), so I erased the hard drive and reinstalled the OS from a bootable drive at an Apple approved repair centre, but I kept noticing behaviour I would deem suspicious. Reinstalling the OS from a base backup, changing all passwords, then noticing strange behaviour. Just an endless cycle of doing this.

And even on this new Macbook. After another erase of the HD and a reinstall from a base backup I made at the Apple store for this new Macbook, I've been noticing strange or suspicious behaviour. In this instance, I signed into iCloud on my Macbook and my iPhone where I removed all calendar entries previously added and manually re-added all entries after the process of changing all my passwords. This was at night time.

So far, so good. The next morning when I turn my Macbook on for the first time of the day and check my calendar, one entry was edited that I definitely did not and would not edit. I narrowed down the time of the edit between the night I re-added all my entries and when I turned on my Macbook for the first time the next day - I did so by restoring the latest backup of the calendar (dated 'today XX:XXam') that is available when one signs into iCloud via a browser (the backup had the edit I did not make).

Now, I use Little Snitch to monitor network activity. I don't notice anything unusual when I'm actually using my Macbook (except for maybe a random connection attempt to google.com on port 80 when all my Google connections are via port 443?).

But given that potentially, whoever/whatever could've edited my calendar entry did so when I was asleep and my Macbook wasn't on, observing Little Snitch for unusual network activity when I'm actually using my Macbook would be pointless, yes?

I'm not sure what to do at this point. I've erased and reinstalled many times and I always notice something worthy of suspicion.

Edit:

It's not a shared calendar and I haven't wilfully given anyone my Apple ID details.

If this compromise wasn't still freaking me out a little bit, the "strange behaviour" probably wouldn't be considered strange. Sometimes I think I'm clicking the keyboard shortcut for a new tab. But Chrome closes the current open window, yet the application is still open. When I click the application icon in my dock, the window with everything I was browsing pops back up. Generally speaking, you would see that minimised browser in your dock, but it never does appear there. Also just jittery/quick up/down movements in Chrome at speeds not observed by normal keyboard up/down shortcuts. This could just be a bug in Chrome itself but I'm not too sure. Sometimes I would get connection alerts for websites I am 100% sure I would've made permanent the first time I got them. It could be a dev bug, but given that making rules about what you allow/deny permanent is a really important part of LS, I figure the devs would make strides to fix it ASAP if it was a bug.

The automatic backup before the one with the strange edit is irrelevant because it was a backup of when I had made a previous restore.

Let's assume this base backup I made at the Apple store (the reinstalled OS, four third-party applications [Chrome, Little Snitch, Flux and the Spotify laptop app] all directly downloaded from the devs, and a couple of podcasts from the iTunes store) is somehow compromised (I did download these things via the store's unsecured wifi). Somehow, there's a backdoor or a RAT on the backup.

I only have a basic working knowledge of infosec, but I presume with malware of that nature, it's possible for someone to access the iCloud-connected Calendar app on my laptop as if they were physically sitting in front of my Macbook. Because I narrowed the time the edit was made to when I was asleep and my Macbook was off, I figure that the person who made the edit is potentially in a different timezone.

I'm not sure what the title has to do with the question. Could the change have been made using your online iCloud account?
– schroeder♦ Oct 29 '15 at 20:57

If you keep on reinstalling and that doesn't fix things, maybe the problem is remote as @schroeder suggests
– Neil Smithline Oct 29 '15 at 21:36

I've never used Little Snitch. Is it possible for you to have it log overnight and review that log for anything suspicious?
– user72066 Oct 29 '15 at 21:42

@schroeder I thought that could be an option, but I always receive an email notification that I've signed into my iCloud account via a browser (there was none in my inbox) because I never choose the "remember this browser" option. As a result, I always have to go through a 2-step authentication process - I either get an SMS sent to my phone or the code pops up on my home screen as I have Find My iPhone enabled.
– oats58459 Oct 30 '15 at 4:50

@SourLolita I'm not entirely sure. According to a dev, the real-time log "stores the connections in its memory as long as it runs (i.e. usually as long as your system runs)." But sometimes it goes on the fritz and wipes some of its history, even though I have set my preferences to no time limit as to what it logs. I could leave my machine on overnight and set it to automatically deny all connection attempts and see what it denied, but given that the real-time log freezes up sometimes, I don't know if that's the best option, even if it seems like the only one at this point.
– oats58459 Oct 30 '15 at 5:09